Heterogeneous Windows Network Administration

    #2524992

    I don’t know whether this post will get any readers. I hope so, because I’m hoping someone will have some ideas for me (sympathy works, too). I’m semi-retired after a career mostly in IT services. I manage a small-sized network (40+ hosts) for a 24/7/365 business run by a cousin.

    We support operating systems ranging from Windows 98 2nd Edition to Windows 10 on desktops and Windows 2012R2 (soon to be Windows 2016) on servers. The older machines support specific hardware. We could replace the in-house hardware but new equipment would not be an exact match for the old. We aren’t big enough to demand that our customers replace good working equipment with new equipment. I’m reminded of the article by Will Fastie on the Dymo Label printer.

    I spend a fair amount of time working on hardening our electronic security posture. Unfortunately, because of old hardware, there is no way I can remove the Windows XP clients. Business management is done using Windows 10 clients, but those clients need to access files generated on Windows XP clients. SMBv1 still lives on a third of the clients. Some of the older systems can be segmented away, but don’t think that will cover all of the cases. Most of the employees are not technically sophisticated, so transparent solutions are necessary.

    This issue surfaced again due to the Windows Updates in December. KB5021294 (December Security Monthly Rollup) blocked SMBv1 on our network. Uninstalling the update from both domain controllers was sufficient to restore SMBv1 functionality. I’m pretty sure this was an unintended consequence, as nothing that I read from Microsoft called out this behavior. A quick online search did not show that this was a problem for anyone else; admittedly I have a corner case. It’s not reasonable to expect Microsoft to do regression testing back any further than their currently supported systems (or maybe a bit more – say back to Windows 7). Still, it took me some time to figure out what caused the problem and how to fix it, and I won’t get that time back.

    The computer industry changes much faster than most other industries. If a computer is loosely integrated into a larger system, this isn’t much of a problem. For instance, moving from Windows 7 to Windows 10 and re-installing applications is usually straightforward. The worker affected by the change is expected to manage any required adaptation. If a computer is tightly integrated into a larger system, this can be a major problem. Larger systems have longer life cycles (sometimes much longer). I suspect that designers consider the computer to be a modular component that is easily replaced. That’s just not true after several years.

    This is not intended to be a rant (although I admit feeling a bit grumpy). This isn’t an emergency cry for help. I keep busy learning how to harden networks. If anyone faces a similar situation and would like to share solution strategies or just some war stories, I’d be grateful to hear from you. Thanks.
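    One concrete starting point for the situation described above, as an added example that is not part of the original post: before deciding what can be segmented, inventory which hosts actually still negotiate SMB 1.x against the file servers or domain controllers. The script assumes an elevated PowerShell session on the Windows Server 2012 R2 / 2016 server itself, that the SmbShare module is present (Windows Server 2012 and later), and that the -AuditSmb1Access setting exists on that build (it is documented for Windows Server 2016 and later; on 2012 R2 check the output of Get-SmbServerConfiguration for the property before relying on it). The KB number is the one named in the post.

```powershell
# Added example, not from the AskWoody thread. Run elevated on the file server
# or DC. Assumptions: SmbShare module present; -AuditSmb1Access supported on
# this build (verify on 2012 R2); KB5021294 is the rollup named in the post.

# 1. Server-side state: is SMB1 still enabled, and is the December rollup installed?
Get-SmbServerConfiguration |
    Select-Object EnableSMB1Protocol, EnableSMB2Protocol, AuditSmb1Access

Get-HotFix -Id 'KB5021294' -ErrorAction SilentlyContinue |
    Select-Object HotFixID, InstalledOn

# 2. Point-in-time inventory: every open session with its negotiated dialect.
#    Anything below 2.0 is an SMB1/CIFS client such as Windows XP or 98 SE.
$legacySessions = Get-SmbSession |
    Where-Object { $_.Dialect -and ([version]$_.Dialect -lt [version]'2.0') } |
    Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens

# 3. Longer-term inventory: enable SMB1 access auditing and collect the client
#    addresses it records (event ID 3000 in the SMBServer/Audit log). Leave it
#    running for at least one full business cycle before trusting the list.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

$auditedClients = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The event message carries the client address; pull the first IPv4 it contains.
        if ($_.Message -match '(\d{1,3}\.){3}\d{1,3}') { $Matches[0] }
    } |
    Sort-Object -Unique

# 4. Report. This is the list to reconcile against asset records and any VLAN plan.
$legacySessions | Format-Table -AutoSize
$auditedClients | ForEach-Object { "SMB1 client seen in audit log: $_" }
```

    Step 2 only shows sessions open at the moment the script runs, which is why step 3 matters on a 24/7 site: a machine that connects once a night for a batch job will never appear in Get-SmbSession during business hours but will show up in the audit log. Run the same Get-SmbSession check again after any rollup is applied; if the legacy sessions vanish while the Windows 10 sessions remain, the update changed SMB negotiation rather than Kerberos.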

    • #2525007

      https://droidrant.com/can-windows-xp-use-smb2/

      XP can be made to support SMB v2.

      The December updates included auditing of Kerberos. I’m wondering if that was your issue? What’s your domain controller OS?

      Susan Bradley Patch Lady/Prudent patcher

      • #2525284

        Thank you for your quick response. I had already seen the page you referenced.

        It doesn’t actually contain a method for installing SMBv2 (or later) on Windows XP. It does contain information on patching SMBv1 vulnerabilities and interoperation with later operating system versions. As far as I know, SMBv2 arrived with Windows Vista and Windows Server 2008, and there was no retrofit for Windows XP. Wikipedia has a good article on SMB, a lengthy list of references, and pointers to the Microsoft SMB specifications.

        I’m not sure I see why auditing Kerberos should cause the problem I described. The domain controllers (and all member servers) are running Windows Server 2012R2. The domain and forest functional levels are 2012R2.

        I imagine you’re very busy, and I appreciate your time. Thanks.

        • #2525297

          From that article:

          If you have a Windows XP machine and you have been wondering if it supports the SMB2 protocol, you can enable it using Windows features. To do this, open the Start menu and type “turn windows features on.” Look for SMB 1.0/CIFS File Sharing Support and select it. After this, you should be able to see SMB2 in the network properties.

          cheers, Paul

          • #2525305

            Thanks for the quote. Unfortunately, the article is not quite what it claims to be. If you have the time, you might want to spin up a Windows XP and try to follow the instructions.

    • #2525188

      Securing a network with such old clients means denying all external access IMO. The downside is you can’t update anything, particularly anti virus.
      The next best option is to place the old / unsupported machines on a separate network that does not have external access and store the files on a server that has access to both networks.

      You also need to consider ransomware protection – image backups of each machine and daily incremental file backups, all in a protected store. This can be done for circa $1k with a NAS.

      cheers, Paul

      • #2525300

        Thanks for your response. Allow me to clarify a few points:

        All external access to and from any system older than Windows 7 is already accomplished at the network boundary by a firewall/router appliance. The older systems have no off-LAN access.

        Updates are not an issue – there are no antivirus products available. There are legacy products that still run but there are no signature updates available. None of these systems have any software installed that is not directly related to their business purpose.

        Segmentation would not be straightforward. The business requires data from these older systems. The data is used for billing, payroll, and customer service. Just mirroring the data to a gateway server is problematic. Older implementations of SMBv1 are not router friendly. Having a gateway server still allows for the possibility of lateral migration. It is not clear that the time, effort, and expense of pursuing this avenue would significantly change the situation. Micro-segmentation might help, but I don’t know if that’s even reasonable in my environment.

        Ransomware is a valid argument for good backups, but certainly not the only one. Over the years, we’ve suffered much more from hardware failures than from ransomware. We have a comprehensive daily, weekly, monthly GFS backup scheme in place for every host on the network. It runs every night and is checked almost every morning (sometimes I take a day off). We actually have four NAS units serving a variety of archiving and backup roles. (Shout out to Veeam – not cheap, somewhat complex, better than anything else I’ve used).
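    One way to narrow the lateral path the reply above is worried about, as an added example that is not part of the thread: even when the legacy hosts and the Windows 10 management clients must stay on one LAN, the Windows 10 host firewall can ensure that the only SMB hop between the two groups is the file server. The addresses are assumptions, not from the post: the legacy hosts are taken to live in 192.0.2.0/25 and the file servers at 192.0.2.200 and 192.0.2.201 (RFC 5737 documentation addresses); substitute the real subnet and servers. The rules are run elevated on each Windows 10 client, or pushed by Group Policy.

```powershell
# Added example, not from the AskWoody thread. Run elevated on each Windows 10
# client. Assumed addresses (replace): legacy subnet 192.0.2.0/25, file servers
# 192.0.2.200 and 192.0.2.201.
$legacySubnet = '192.0.2.0/25'
$fileServers  = @('192.0.2.200', '192.0.2.201')
$smbPorts     = @('139', '445')

# Workstations have no business serving files: block inbound SMB from anyone.
# In Windows Firewall an explicit Block rule overrides the built-in
# "File and Printer Sharing" Allow rules, so this holds even if those are enabled.
New-NetFirewallRule -DisplayName 'LegacyLAN - block inbound SMB' `
    -Direction Inbound -Protocol TCP -LocalPort $smbPorts `
    -Action Block -Profile Domain, Private | Out-Null

# Windows 10 clients never need to talk SMB directly to the legacy hosts; they
# read that data from the file servers. Block outbound SMB to the legacy subnet only.
New-NetFirewallRule -DisplayName 'LegacyLAN - block outbound SMB to legacy hosts' `
    -Direction Outbound -Protocol TCP -RemotePort $smbPorts `
    -RemoteAddress $legacySubnet -Action Block -Profile Domain, Private | Out-Null

# Explicit Allow to the servers. Do NOT add a blanket outbound SMB block: Block
# wins over Allow regardless of how specific the Allow is, and it would cut the
# clients off from the servers too. The Allow is what keeps the servers reachable
# if the outbound default action is later switched to Block.
New-NetFirewallRule -DisplayName 'LegacyLAN - allow outbound SMB to file servers' `
    -Direction Outbound -Protocol TCP -RemotePort '445' `
    -RemoteAddress $fileServers -Action Allow -Profile Domain, Private | Out-Null

# Verify the rules landed.
Get-NetFirewallRule -DisplayName 'LegacyLAN*' |
    Select-Object DisplayName, Direction, Action, Enabled

# Verify they bite: TcpTestSucceeded should be False for a legacy host (assumed
# address 192.0.2.10) and True for a file server.
Test-NetConnection -ComputerName '192.0.2.10'     -Port 445 | Select-Object ComputerName, TcpTestSucceeded
Test-NetConnection -ComputerName $fileServers[0]   -Port 445 | Select-Object ComputerName, TcpTestSucceeded
```

    This does not touch the legacy hosts at all, which is the point: nothing has to be installed on XP or 98 SE, and the file server keeps its existing SMBv1 listener for them. What changes is that a compromised legacy host can no longer reach a Windows 10 client over 445 or 139, and a compromised Windows 10 client cannot reach the legacy hosts directly either; the file server becomes the one place to watch, back up, and audit. The same two Block rules, with the subnets swapped, belong on the file server if it should not be initiating SMB toward the workstations.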

    • #2525490

      Not having a copy of XP I was relying on the article being accurate. Seems you can’t believe everything you read on the internet. 🙂

      I see you are doing pretty much everything that can be done – this wasn’t clear in your OP.

      I would still be looking at other ways to get the data off the old machines in case patching causes more issues.

      cheers, Paul

      • #2531591

        I have an old XP in a VM, I’ll fire it up.

        Susan Bradley Patch Lady/Prudent patcher
